[Samba] Kerberos problems with only some servers

Arne Zachlod arne at nerdkeller.org
Thu Apr 29 12:02:13 UTC 2021


Thanks for your interest, I pasted the files below.

In the meantime I tried taking the adfs01 server out of the domain and 
rejoining it, but that didn't change anything. My users are still 
unable to access the shares.

Collected config  --- 2021-04-29-13:55 -----------

Hostname: adfs01
DNS Domain: int.samdom.de
FQDN: adfs01.int.samdom.de
ipaddress: 10.1.1.212

-----------

Kerberos SRV _kerberos._tcp.int.samdom.de record verified ok, sample 
output:
Server:		10.1.1.215
Address:	10.1.1.215#53

_kerberos._tcp.int.samdom.de	service = 0 100 88 addc12.int.samdom.de.
_kerberos._tcp.int.samdom.de	service = 0 100 88 addc16.int.samdom.de.
_kerberos._tcp.int.samdom.de	service = 0 100 88 addc08.int.samdom.de.
_kerberos._tcp.int.samdom.de	service = 0 100 88 addc13.int.samdom.de.
Samba is running as a Unix domain member

-----------
        Checking file: /etc/os-release

NAME="Ubuntu"
VERSION="16.04.7 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.7 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

-----------


This computer is running Ubuntu 16.04.7 LTS x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
group default qlen 1
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
     inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
state UP group default qlen 1000
     link/ether 52:54:00:18:cc:3c brd ff:ff:ff:ff:ff:ff
     inet 10.1.1.212/24 brd 10.1.1.255 scope global ens3
     inet6 fe80::5054:ff:fe18:cc3c/64 scope link

-----------
        Checking file: /etc/hosts

127.0.0.1	localhost

10.1.1.212	adfs01.int.samdom.de adfs01

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

        Checking file: /etc/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by 
resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.1.1.215
nameserver 10.0.1.215
nameserver 10.2.1.215
search int.samdom.de

-----------

        Checking file: /etc/krb5.conf

# /etc/krb5.conf on the domain member adfs01 (same content as the copy on the DC below).
[libdefaults]
# Kerberos realm names are case-sensitive; this matches "realm = INT.SAMDOM.DE"
# in this host's smb.conf.
	default_realm = INT.SAMDOM.DE
# The realm is given explicitly, so no DNS TXT lookup is made for it.
	dns_lookup_realm = false
# KDCs are located through the _kerberos._tcp SRV records shown above. There is no
# [realms] section, so any of addc08/12/13/16 may be chosen for a given request and
# each of them must hold the current machine-account key of this host.
	dns_lookup_kdc = true

-----------

        Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

        Checking file: /etc/samba/smb.conf

# smb.conf on the domain member adfs01. Package list below shows Samba 4.3.11 here
# versus 4.11.17 on the DC; 4.3 is long out of security support.
[global]
	netbios name = ADFS01
	# domain member: authentication is delegated to AD (Kerberos/LDAP)
	security = ADS
	workgroup = SAMDOM
	realm = INT.SAMDOM.DE

	# %m expands to the client's NetBIOS name, giving one log file per client
	logfile = /var/log/samba/%m.log
	# 1 shows only the gss_accept_sec_context failure quoted in this thread; a higher
	# level on the auth class (e.g. "log level = 1 auth:10") is needed to see why
	log level = 1

	# Default idmap config used for BUILTIN and local windows accounts/groups
	idmap config *:backend = tdb
	idmap config *:range = 2000-9999

	# idmap config for domain SAMDOM
	# IDs are read from uidNumber/gidNumber in AD; accounts without them get no mapping
	idmap config SAMDOM:backend = ad
	idmap config SAMDOM:schema_mode = rfc2307
	# must not overlap the * range above (it doesn't: 2000-9999 vs 10000-99999)
	idmap config SAMDOM:range = 10000-99999

	# Use settings from AD for login shell and home directory
	winbind nss info = rfc2307
	
	# enumeration is only needed for getent-style listings and is costly in large domains
	winbind enum users = yes
	winbind enum groups = yes
	winbind use default domain = yes
	winbind refresh tickets = yes

	# Service keys are taken from secrets.tdb and from the keytab named below.
	# NOTE(review): "Decrypt integrity check failed ... aes256-cts-hmac-sha1-96" in the
	# quoted log is the usual symptom of a service key whose version (kvno) no longer
	# matches the machine account on the DCs. Confirm that the rejoin actually rewrote
	# /etc/krb5.keytab (compare "klist -k -e" here with the account's
	# msDS-KeyVersionNumber) and that every DC listed in the SRV records has
	# replicated the new key.
	kerberos method = secrets and keytab
	dedicated keytab file = /etc/krb5.keytab

	# fileshare options
	# NT ACLs are stored in the security.NTACL xattr; the filesystem needs user xattrs enabled
	vfs objects = acl_xattr
	map acl inherit = yes
	store dos attributes = yes

# test share
# All shares below are writable (read only = no) and set no "valid users" or
# "write list"; who may read or write is decided by the NT ACLs that acl_xattr
# (see [global]) stores on the share directories.

[test]
	path = /srv/samba/test
	read only = no

[prueflabor]
	path = /srv/samba/prueflabor
	read only = no

[Beratung]
	path = /srv/samba/beratung
	read only = no

[ilims]
	path = /srv/samba/ilims
	read only = no

[Qualitaetsmanagement]
	path = /srv/samba/Qualitaetsmanagement
	read only = no

[Geschaeftsfuehrung]
	path = /srv/samba/Geschaeftsfuehrung
	read only = no

[Vorlagen]
	path = /srv/samba/Vorlagen
	read only = no

[Service]
	path = /srv/samba/Service
	read only = no

[Scan-Dateien-Toshiba]
	path = /srv/samba/Scan-Dateien-Toshiba
	read only = no

-----------

Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
-----------
     Warning, /etc/idmapd.conf does not exist

-----------


Installed packages:
ii  acl                                   2.2.52-3 
                   amd64        Access control list utilities
ii  attr                                  1:2.4.47-2 
                   amd64        Utilities for manipulating filesystem 
extended attributes
ii  krb5-config                           2.3 
                   all          Configuration files for Kerberos Version 5
ii  krb5-locales                          1.13.2+dfsg-5ubuntu2.2 
                   all          Internationalization support for MIT 
Kerberos
ii  libacl1:amd64                         2.2.52-3 
                   amd64        Access control list shared library
ii  libattr1:amd64                        1:2.4.47-2 
                   amd64        Extended attribute shared library
ii  libgssapi-krb5-2:amd64                1.13.2+dfsg-5ubuntu2.2 
                   amd64        MIT Kerberos runtime libraries - krb5 
GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64 
1.7~git20150920+dfsg-4ubuntu1.16.04.1           amd64        Heimdal 
Kerberos - libraries
ii  libkrb5-3:amd64                       1.13.2+dfsg-5ubuntu2.2 
                   amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64                 1.13.2+dfsg-5ubuntu2.2 
                   amd64        MIT Kerberos runtime libraries - Support 
library
ii  libnss-winbind:amd64 
2:4.3.11+dfsg-0ubuntu0.16.04.32                 amd64        Samba 
nameservice integration plugins
ii  libsmbclient:amd64 
2:4.3.11+dfsg-0ubuntu0.16.04.32                 amd64        shared 
library for communication with SMB/CIFS servers
ii  libwbclient0:amd64 
2:4.3.11+dfsg-0ubuntu0.16.04.32                 amd64        Samba 
winbind client library
ii  python-pylibacl                       0.5.2-2build2 
                   amd64        module for manipulating POSIX.1e ACLs
ii  python-pyxattr                        0.5.3-2build2 
                   amd64        module for manipulating filesystem 
extended attributes
ii  python-samba 
2:4.3.11+dfsg-0ubuntu0.16.04.32                 amd64        Python 
bindings for Samba
ii  samba 
2:4.3.11+dfsg-0ubuntu0.16.04.32                 amd64        SMB/CIFS 
file, print, and login server for Unix
ii  samba-common 
2:4.3.11+dfsg-0ubuntu0.16.04.32                 all          common 
files used by both the Samba server and client
ii  samba-common-bin 
2:4.3.11+dfsg-0ubuntu0.16.04.32                 amd64        Samba 
common files used by both the server and the client
ii  samba-dsdb-modules 
2:4.3.11+dfsg-0ubuntu0.16.04.32                 amd64        Samba 
Directory Services Database
ii  samba-libs:amd64 
2:4.3.11+dfsg-0ubuntu0.16.04.32                 amd64        Samba core 
libraries
ii  samba-vfs-modules 
2:4.3.11+dfsg-0ubuntu0.16.04.32                 amd64        Samba 
Virtual FileSystem plugins
ii  smbclient 
2:4.3.11+dfsg-0ubuntu0.16.04.32                 amd64 
command-line SMB/CIFS clients for Unix
ii  winbind 
2:4.3.11+dfsg-0ubuntu0.16.04.32                 amd64        service to 
resolve user and group information from Windows NT servers

-----------


Collected config  --- 2021-04-29-11:02 -----------

Hostname: addc08
DNS Domain: int.samdom.de
FQDN: addc08.int.samdom.de
ipaddress: 10.1.1.215

-----------

Kerberos SRV _kerberos._tcp.int.samdom.de record verified ok, sample 
output:
Server:		10.1.1.215
Address:	10.1.1.215#53

_kerberos._tcp.int.samdom.de	service = 0 100 88 addc12.int.samdom.de.
_kerberos._tcp.int.samdom.de	service = 0 100 88 addc16.int.samdom.de.
_kerberos._tcp.int.samdom.de	service = 0 100 88 addc08.int.samdom.de.
_kerberos._tcp.int.samdom.de	service = 0 100 88 addc13.int.samdom.de.
Samba is running as an AD DC

-----------
        Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------


This computer is running Debian 10.9 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
group default qlen 1000
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
     inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
state UP group default qlen 1000
     link/ether 52:54:00:77:6c:f9 brd ff:ff:ff:ff:ff:ff
     inet 10.1.1.215/24 brd 10.1.1.255 scope global ens3
     inet6 fe80::5054:ff:fe77:6cf9/64 scope link

-----------
        Checking file: /etc/hosts

127.0.0.1	localhost
127.0.1.1	addc08.int.samdom.de addc08

10.1.1.215	addc08.int.samdom.de

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

        Checking file: /etc/resolv.conf

domain int.samdom.de
search int.samdom.de
nameserver 10.1.1.215

-----------

        Checking file: /etc/krb5.conf

# /etc/krb5.conf on the DC addc08 (identical to the member's copy above).
[libdefaults]
# Upper-case realm, as Kerberos expects; note smb.conf on this DC writes it lower-case.
	default_realm = INT.SAMDOM.DE
# realm is fixed above; no DNS TXT lookup
	dns_lookup_realm = false
# KDCs are found via the _kerberos._tcp SRV records (addc08/12/13/16 above)
	dns_lookup_kdc = true

-----------

        Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd
group:          files systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

        Checking file: /etc/samba/smb.conf

# Global parameters
# smb.conf on the DC addc08 (Samba 4.11.17). Two settings below relax Samba's defaults.
[global]
	workgroup = SAMDOM
	# written lower-case while krb5.conf uses INT.SAMDOM.DE; Kerberos realm names are
	# case-sensitive. NOTE(review): Samba appears to accept this, but confirm it is intended.
	realm = int.samdom.de
	netbios name = ADDC08
	server role = active directory domain controller
	# queries the internal DNS server cannot answer are forwarded here
	dns forwarder = 10.1.1.1
	# use uidNumber/gidNumber from AD for ID mapping on the DC itself
	idmap_ldb:use rfc2307 = yes
	# On an AD DC Samba's default is mandatory SMB signing; Auto permits unsigned
	# sessions and so exposes SMB traffic to tampering/relay. Remove unless a known
	# legacy client requires it.
	server signing = Auto
	# Default is "secure only". "nonsecure" lets any host reach the AD DNS and change
	# records without authentication, including the _kerberos._tcp SRV records that
	# clients use to find the KDCs. Revert to the default unless there is a documented need.
	allow dns updates = nonsecure

# Logon-script share; matches the stock provision output. Writes are restricted by
# the NT ACLs on sysvol, not by this section.
[netlogon]
	path = /var/lib/samba/sysvol/int.samdom.de/scripts
	read only = No

# Group-policy share; matches the stock provision output (read only = No is the
# provisioned value, access is governed by the sysvol NT ACLs).
[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

-----------

BIND_DLZ not detected in smb.conf

-----------

Installed packages:
ii  acl                                  2.2.53-4 
amd64        access control list - utilities
ii  attr                                 1:2.4.48-4 
amd64        utilities for manipulating filesystem extended attributes
ii  krb5-config                          2.6 
all          Configuration files for Kerberos Version 5
ii  krb5-locales                         1.17-3+deb10u1 
all          internationalization support for MIT Kerberos
ii  libacl1:amd64                        2.2.53-4 
amd64        access control list - shared library
ii  libattr1:amd64                       1:2.4.48-4 
amd64        extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64               1.17-3+deb10u1 
amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64             7.5.0+dfsg-3 
amd64        Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                      1.17-3+deb10u1 
amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64                1.17-3+deb10u1 
amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64                 2:4.11.17+dfsg-0.1buster1 
amd64        Samba nameservice integration plugins
ii  libpam-winbind:amd64                 2:4.11.17+dfsg-0.1buster1 
amd64        Windows domain authentication integration plugin
ii  libsmbclient:amd64                   2:4.11.17+dfsg-0.1buster1 
amd64        shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64                   2:4.11.17+dfsg-0.1buster1 
amd64        Samba winbind client library
ii  python3-samba                        2:4.11.17+dfsg-0.1buster1 
amd64        Python 3 bindings for Samba
ii  samba                                2:4.11.17+dfsg-0.1buster1 
amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                         2:4.11.17+dfsg-0.1buster1 
all          common files used by both the Samba server and client
ii  samba-common-bin                     2:4.11.17+dfsg-0.1buster1 
amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64             2:4.11.17+dfsg-0.1buster1 
amd64        Samba Directory Services Database
ii  samba-libs:amd64                     2:4.11.17+dfsg-0.1buster1 
amd64        Samba core libraries
ii  samba-vfs-modules:amd64              2:4.11.17+dfsg-0.1buster1 
amd64        Samba Virtual FileSystem plugins
ii  smbclient                            2:4.11.17+dfsg-0.1buster1 
amd64        command-line SMB/CIFS clients for Unix
ii  winbind                              2:4.11.17+dfsg-0.1buster1 
amd64        service to resolve user and group information from Windows 
NT servers

-----------



On 4/29/21 10:57 AM, L.P.H. van Belle via samba wrote:
> hmm, config looks ok from what i see below,
> 
> Can you run this :
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> 
> And post the content, if you anonymize it, keep structures/Caps as they are.
> Like INTERNAL.REALM.TLD of WORKGROUP
> 
> I'm on the road in a few min, so I will reply later.
> 
> 
> Greetz,
> 
> Louis
> 
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Arne
>> Zachlod via samba
>> Verzonden: donderdag 29 april 2021 10:35
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Kerberos problems with only some servers
>>
>> Yes, time is OK:
>>
>> root at adfs01:~# date -R
>> Thu, 29 Apr 2021 10:33:37 +0200
>>
>> root at addc08:~# date -R
>> Thu, 29 Apr 2021 10:33:47 +0200
>>
>> On 4/29/21 10:29 AM, L.P.H. van Belle via samba wrote:
>>> Is time in sync?
>>>
>>>
>>>> -----Oorspronkelijk bericht-----
>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Arne
>>>> Zachlod via samba
>>>> Verzonden: donderdag 29 april 2021 10:08
>>>> Aan: samba
>>>> Onderwerp: [Samba] Kerberos problems with only some servers
>>>>
>>>> Hi,
>>>>
>>>> I have a weird Kerberos problem (I think) that pretty much
>>>> came overnight.
>>>>
>>>> I have a domain with multiple DCs (Debian/Samba 4.11), all in
>>>> different
>>>> AD Sites. Replication works according to 'samba-tool drs showrepl'.
>>>>
>>>> In the sites I have Linux based fileservers as domain members and
>>>> Windows based clients. Somehow, it's not possible anymore
>> to log into
>>>> some of the file servers. On Windows, the Client just asks
>>>> for username
>>>> + password, and if you give both, it won't get accepted.
>>>>
>>>> On the file server, I get these log entries:
>>>>
>>>> [2021/04/29 09:39:37.439432,  1]
>>>> ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
>>>>      gss_accept_sec_context failed with [ Miscellaneous failure (see
>>>> text): Decrypt integrity check failed for checksum type
>>>> hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96]
>>>> [2021/04/29 09:39:37.439817,  1]
>>>> ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
>>>>      SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>>>>
>>>> wbinfo -u also returns empty on the file server, but not on
>>>> any of the
>>>> DCs. I'm a bit puzzled and don't really know what to do/ how
>>>> to debug.
>>>> Has anyone any idea how to debug this situation any further?
>>>>
>>>> - Arne
>>>>
>>>> ====== krb5.conf - same on all servers
>>>>
>>>> [libdefaults]
>>>> 	default_realm = INT.SAMDOM.DE
>>>> 	dns_lookup_realm = false
>>>> 	dns_lookup_kdc = true
>>>>
>>>> ====== smb.conf for the DC ========
>>>>
>>>> # Global parameters
>>>> [global]
>>>> 	workgroup = SAMDOM
>>>> 	realm = int.samdom.de
>>>> 	netbios name = ADDC08
>>>> 	server role = active directory domain controller
>>>> 	dns forwarder = 10.1.1.1
>>>> 	idmap_ldb:use rfc2307 = yes
>>>> 	server signing = Auto
>>>> 	allow dns updates = nonsecure
>>>>
>>>> [netlogon]
>>>> 	path = /var/lib/samba/sysvol/int.samdom.de/scripts
>>>> 	read only = No
>>>>
>>>> [sysvol]
>>>> 	path = /var/lib/samba/sysvol
>>>> 	read only = No
>>>>
>>>> ===== smb.conf on one of the FS ====
>>>>
>>>> [global]
>>>> 	netbios name = ADFS01
>>>> 	security = ADS
>>>> 	workgroup = SAMDOM
>>>> 	realm = INT.SAMDOM.DE
>>>>
>>>> 	logfile = /var/log/samba/%m.log
>>>> 	log level = 1
>>>>
>>>> 	idmap config *:backend = tdb
>>>> 	idmap config *:range = 2000-9999
>>>>
>>>> 	# idmap config for domain SAMDOM
>>>> 	idmap config SAMDOM:backend = ad
>>>> 	idmap config SAMDOM:schema_mode = rfc2307
>>>> 	idmap config SAMDOM:range = 10000-99999
>>>>
>>>> 	# Use settings from AD for login shell and home directory
>>>> 	winbind nss info = rfc2307
>>>> 	
>>>> 	winbind enum users = yes
>>>> 	winbind enum groups = yes
>>>> 	winbind use default domain = yes
>>>> 	winbind refresh tickets = yes
>>>>
>>>> 	kerberos method = secrets and keytab
>>>> 	dedicated keytab file = /etc/krb5.keytab
>>>>
>>>> 	# fileshare options
>>>> 	vfs objects = acl_xattr
>>>> 	map acl inherit = yes
>>>> 	store dos attributes = yes
>>>>
>>>> # test share
>>>>
>>>> [test]
>>>> 	path = /srv/samba/test
>>>> 	read only = no
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>
>>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
> 
> 


